The Ubuntu project recently set loose a beta version of its next Linux-based operating system release, known as Ubuntu 9.10 or, more fancifully, as the Karmic Koala. I’ve been testing this in-development Ubuntu version for several weeks now, but this beta milestone seems like a good time to single out a handful of the new or enhanced features that have caught my eye so far.
Karmic will ship with a long list of enhancements and additions, including the sort of core open-source application updates you expect to see with any Linux distribution refresh (new versions of Firefox, OpenOffice.org and the GNOME desktop environment). Beyond these typical updates, however, I’ve taken particular note of changes around disk encryption, tightened system permissions and cloud service integration.
All told, I expect that the 9.10 release will strengthen Ubuntu’s position as the most popular Linux option for desktop and mobile implementations. On the server side of the distribution, the Ubuntu project has covered a lot of ground on private and public cloud deployment options with this release, and eWEEK Labs will investigate these enhancements in an upcoming story.
Given how easily notebooks and netbooks can be lost or stolen, and how easily an unauthorized person can pull sensitive data from an unencrypted disk, no one should be toting a portable computer around without the protection of hard-drive encryption. The past few Ubuntu releases have offered users the option of encrypting all but their boot partitions with block-level encryption, but this feature has been limited to the text-based alternate install disk, which most users pass over in favor of the default LiveCD-based install disk. What’s more, the UNR (Ubuntu Netbook Remix) installer offers no clear path to encrypted hard drives at all.
Rather than build this block-level encryption option into its default installer, the Ubuntu team has been pursuing an encryption scheme that’s layered atop the file system and that targets specific system folders, as opposed to encrypting everything on disk.
Version 8.10 saw the addition of an encrypted Private directory for each user. However, to take advantage of the directory’s protection, users had to copy files into the directory and, for application configuration folders, create symlinks from the folder to the home directory locations where the applications expected to find these folders. In Version 9.04, the team expanded this protection to cover the entire home directory, but the option to trigger this protection was exposed only in the alternate installer.
In Ubuntu 9.10, this home directory encryption option has finally made its way into the default LiveCD installer. During installation, the Ubuntu installer asked me whether I wanted to configure my system for auto-login, for password-protected login or for password-protected login with home directory encryption. Choosing the home directory encryption option also configures the swap partition for encryption, which is important because sensitive data can hang around in swap, even on systems with plenty of RAM.
In contrast to the block-level encryption option, which is still available in the alternate installer, Ubuntu’s home directory encryption should deliver improved performance by ignoring data outside of home or swap directories. Most of what’s in the root directory of an Ubuntu system isn’t particularly sensitive-after all, both the binaries and the source for most of what you’ll find there are available for free public download.
What’s more, this home directory encryption scheme allows for unattended booting (the block-level method requires a passphrase at boot time), as well as for multiple home directories, each encrypted with its own key.
For now, however, systems encrypted in this way lack hibernation support, due to the method used to encrypt the swap partition. With that said, the Ubuntu project is working on a solution for re-enabling hibernation.
Firefox AppArmor Policy
Ubuntu has been shipping with the AppArmor enhanced access control framework since Version 7.10, and while the Ubuntu’s AppArmor implementation has never been promoted or exposed to users as prominently as SELinux has in Red Hat’s Fedora and RHEL distributions, the framework has been making steady progress during the past several Ubuntu releases.
AppArmor bolsters existing Linux access controls by enabling administrators to grant or deny system privileges more granularly than is possible with Linux’s default discretionary access control scheme. Ubuntu 9.10 includes a policy for applying these controls to contain the Firefox Web browser. In the beta release I tested, this policy was inactive by default; I activated it by issuing the command “sudo aa-enforce firefox” and then restarting Firefox.
I took a peek at the Firefox AppArmor policy, which is stored as a fairly readable text file, and noted that the policy denied Firefox access to the folder in my home directory that stores SSH keys-a directory that I’m allowed, by default, to view and edit freely. With typical Linux access controls, the applications I run enjoy the same rights that I do, which means that I-or someone who has taken control of my browser-could read and modify sensitive SSH configuration files in that directory from Firefox. With the AppArmor policy for Firefox enabled, however, I couldn’t access or modify the SSH directory in my home folder.
I’d like to see the Ubuntu project step up its efforts around AppArmor, potentially by extending the project’s Personal Package Archive build service with AppArmor policy generation tools. The other major Linux distribution that ships AppArmor, SUSE, has its own build service, and there may be an opportunity for the two projects to collaborate to bring this functionality to their respective build services.
Last May, Canonical, the company that sponsors Ubuntu, launched a closed beta of a Web storage and synchronization service called Ubuntu One. The service provided 2GB of free online storage space or 10GB of space for $10 a month. The service provided storage synchronization between computers running Ubuntu and a Canonical-run Web service that tapped Amazon’s S3 for storage. Since then, the beta has gone public, the storage cap for paid subscriptions has been raised to 50GB, and the service has expanded beyond file synchronization to take on data sync duties for specific Ubuntu desktop applications.
For instance, the version of the Tomboy note-taking application that comes with Ubuntu 9.10 includes Ubuntu One among its list of note synchronization targets, making it possible to use the Canonical service to keep one’s notes in sync on multiple machines-eventually. So far, I haven’t managed to get this feature to work on my test system. Similar sync options have turned up for contact records used with the distribution’s Evolution mail client and for Firefox bookmarks, both of which rely on the document-oriented database project CouchDB for syncing up with Ubuntu One.
The Ubuntu One service, and its associated client-side components, are definitely still rough around the edges-the Web-based interfaces for viewing notes and browsing files, in particular, could use an overhaul. However, I’m impressed with the promise of these capabilities to bridge the divide between locally run and Web-based applications on the Linux desktop.
Executive Editor Jason Brooks can be reached at [email protected]